Bug 57212

Summary: Headers returned by scripts are limited to 8190 bytes
Product: Apache httpd-2 Reporter: Roman Vasilev <vasilev>
Component: CoreAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: REOPENED ---    
Severity: normal    
Priority: P2    
Version: 2.2.22   
Target Milestone: ---   
Hardware: PC   
OS: Linux   

Description Roman Vasilev 2014-11-14 05:31:58 UTC
Apache Internal error with send headers > 8Kb, for example:

function randomPassword($len) {
    $alphabet = "abcdefghijklmnopqrstuwxyzABCDEFGHIJKLMNOPQRSTUWXYZ0123456789";
    for ($i = 0; $i < $len; $i++) {
        $n = rand(0, count($alphabet)-1);
        $pass .= $alphabet[$n];
    }
    return $pass;
}
setcookie("test", randomPassword(8173));

And this code OK:

function randomPassword($len) {
    $alphabet = "abcdefghijklmnopqrstuwxyzABCDEFGHIJKLMNOPQRSTUWXYZ0123456789";
    for ($i = 0; $i < $len; $i++) {
        $n = rand(0, count($alphabet)-1);
        $pass .= $alphabet[$n];
    }
    return $pass;
}
setcookie("test", randomPassword(8172));

Difference in one byte.

Please, check.
Comment 1 Jeff Trawick 2014-11-14 21:48:19 UTC
This is a restriction imposed by the core APIs which modules like mod_fcgid use to read the response header (ap_scan_script_header_err_core() and friends).
Comment 2 Roman Vasilev 2014-11-14 23:38:28 UTC
(In reply to Jeff Trawick from comment #1)
> This is a restriction imposed by the core APIs which modules like mod_fcgid
> use to read the response header (ap_scan_script_header_err_core() and
> friends).

You can fix this? How?
Comment 3 Jeff Trawick 2014-11-14 23:47:12 UTC
>You can fix this? How?

It may be possible to recompile everything with a bigger MAX_STRING_LEN, but I can't confirm that.

The right solution seems to be new APIs in httpd core, and changes to modules like mod_fcgid to use the new APIs.  The new APIs would respect user configuration of higher limits for script header size, just as the LimitRequestFieldSize directive controls something similar for client request headers.
Comment 4 Roman Vasilev 2014-11-15 00:04:40 UTC
#define MAX_STRING_LEN 256(In reply to Jeff Trawick from comment #3)

How much increase?
LimitRequestFieldSize present in Apache 2.2, but does not help :(

> >You can fix this? How?
> 
> It may be possible to recompile everything with a bigger MAX_STRING_LEN, but
> I can't confirm that.
> 
> The right solution seems to be new APIs in httpd core, and changes to
> modules like mod_fcgid to use the new APIs.  The new APIs would respect user
> configuration of higher limits for script header size, just as the
> LimitRequestFieldSize directive controls something similar for client
> request headers.
Comment 5 Jeff Trawick 2014-11-15 00:37:18 UTC
>define MAX_STRING_LEN 256

That's the definition in a couple of utility programs.

It would need to be edited in httpd.h to be larger than 8192.  It is probably less risky to keep MAX_STRING_LEN and HUGE_STRING_LEN equivalent, so

/* old value: #define HUGE_STRING_LEN 8192 */
#define HUGE_STRING_LEN 10000

10000 assumes that your cookies aren't so big.

You'd have to recompile all of httpd, mod_fcgid, and any other third-party modules that use HUGE_STRING_LEN.  And I'm not sure if it would all work.

Perhaps you can reduce the size of your cookie.
Comment 6 Roman Vasilev 2014-11-15 01:45:27 UTC
Yes, this solved problem. Thanks!

(In reply to Jeff Trawick from comment #5)
> >define MAX_STRING_LEN 256
> 
> That's the definition in a couple of utility programs.
> 
> It would need to be edited in httpd.h to be larger than 8192.  It is
> probably less risky to keep MAX_STRING_LEN and HUGE_STRING_LEN equivalent, so
> 
> /* old value: #define HUGE_STRING_LEN 8192 */
> #define HUGE_STRING_LEN 10000
> 
> 10000 assumes that your cookies aren't so big.
> 
> You'd have to recompile all of httpd, mod_fcgid, and any other third-party
> modules that use HUGE_STRING_LEN.  And I'm not sure if it would all work.
> 
> Perhaps you can reduce the size of your cookie.
Comment 7 Jeff Trawick 2014-11-15 12:29:57 UTC
Let's leave this open to track a better solution in the future.  Many users, such as those that obtain httpd from the OS, aren't able to recompile everything.